Re: action-307, issue-119, absolutely not tracking

Hi David


On Nov 8, 2012, at 15:11 , David Wainberg <david@networkadvertising.org> wrote:

> Hi David,
> 
> I realize you've proposed non-normative. Consider this largely directed at the issue in general.

That was the action, yes, after discussion in Amsterdam.

> 
> <broken record>
> We have not defined tracking.

well, much to my puzzlement I have offered a definition (ages ago), that sought to 'limit the playing field'.  That is, I tried to say "if you are outside this, you are not tracking and hence not our concern" rather than saying "if you are inside this definition, you are tracking".  There was some pushback before I clarified this.  I think it helps both us and the community to have such a 'gateway' at the front the spec.

It is linked from this thread <http://lists.w3.org/Archives/Public/public-tracking/2012Sep/0009.html>


> So how then are we to identify sites that perform no tracking? At best we might allow sites to say that they believe they are not subject to any requirements of the standard. But why wouldn't they be unless they are collecting and using no data at all?

That's certainly one, easy, case.  The most likely, I think, is that they keep short-term logs, so the 'third-party with the short-term raw data retention exception' is the most likely case by far.

> Is that what this is for? But surely these sites collect server logs and such that contain information about users' activity across unaffiliated websites, and is therefore subject to the same risks or harms group members have ascribed to the same data in the hands of third party advertising companies.

Yes, if they keep raw data indefinitely, or cooked data in which users can be identified, they are not 'simple non-tracking sites', alas.

I know many sites don't engage in 'deliberate' tracking, i.e. the reason that they keep data is not a priori to keep records about people.  But a loophole that says "it's OK to have all the ingredients to make X, as long as you don't actually make X or allow the ingredients to be accessed by someone else" is not a great one to leave open (in any area).  Ideas are welcome.

Lacking a better idea, the best I can see is '3' for non-logging sites, '3 + short-term raw-data' for logging sites.

> </broken record>
> 
> -David
> 
> 
> On 11/7/12 12:35 PM, David Singer wrote:
>> (The issue asks for normative text, the action for non-normative, this is non-normative).  We need to tell sites that basically are not in the tracking business what they need to do…
>> 
>> 
>> 
>> 
>> There are circumstances in which sites will appear in as third parties in a transaction, but those sites perform little or no tracking. Such sites might include those providing libraries of resources, such as scripts, style-sheets, or images, or sites providing content intended to be 'mashed up' into other sites. Unfortunately, it is not possible to distinguish, among the sites that do not implement Do Not Track, those that track but do not (yet) implement DNT, and sites that do not track.
>> 
>> For this reason, it is recommended that these non-tracking sites implement a static well-known resource and/or a static DNT response header, indicating their status. The recommended status is '3' (fully third-party compliant, with no qualifiers and no permissions claimed) or '3s' (third party, claiming only the short-term logging permission).  If logging is performed, then complying with the requirements for short-term logging may be necessary, to be compliant under these specifications.
>> 
>> 
>> David Singer
>> Multimedia and Software Standards, Apple Inc.
>> 
>> 
> 

David Singer
Multimedia and Software Standards, Apple Inc.

Received on Thursday, 8 November 2012 14:25:11 UTC